Astro Open Redirect Vulnerability in Trailing Slash Handling

Vulnerability

A vulnerability allowing open redirects has been identified in the Astro web framework, specifically in versions 5.2.0 through 5.12.7. The issue arises in the trailing slash redirection logic, particularly when the framework encounters paths with double slashes. This flaw enables attackers to redirect users to arbitrary external sites by crafting specific URLs. The vulnerability is present in sites using on-demand rendering with the Node or Cloudflare adapters, but does not affect static sites or those deployed on Netlify or Vercel.

Impact

Exploitation of this vulnerability allows for open redirection, where users can be sent to malicious external sites under the guise of a trusted domain. This could facilitate phishing attacks or other social engineering schemes.

Reproduction

To reproduce this vulnerability, create a URL that includes double slashes and points to a target domain of choice. Ensure that the Astro site is configured to use the Node or Cloudflare adapter and that the 'trailingSlash' option is set to either 'always' or 'never'. When the crafted URL is accessed, the site will redirect to the specified external domain, demonstrating the open redirect vulnerability.

Remediation

Users can upgrade to Astro version 5.12.8, where this vulnerability has been patched. Additionally, at the network level, outgoing redirect responses can be blocked if the 'Location' header value begins with a double slash.

Added: Aug 8, 2025, 1:25 AM
Updated: Aug 8, 2025, 1:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.3
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.